Last Updated: June 2022
We may collect and process “Personal Data” (which is defined as any data that identifies or can be used to identify you) about you when you visit the site, install, download, access, register for or use the app, use our Services, or contact us in relation to the Services. The nature of the Personal Data that we may collect and process will be determined by how you are using our Services. For example, where you are accessing, registering or using the app, we will collect less Personal Data than when you sign up and create an account to use our Services. We will only use your Personal Data as set out below and always in accordance with applicable data protection laws. While we are not based in the European Economic Area ("EEA"), we also comply with the European Union's General Data Protection Regulation 2016/679 (the “EU GDPR”) together with the version of the EU GDPR which is incorporated into the domestic law of the United Kingdom (the “UK GDPR”) (the EU GDPR and the UK GDPR are collectively referred to as the "GDPR").
We do not collect, and please do not provide to us, special categories of Personal Data (as defined in the GDPR), which means Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade union membership, genetic and biometric data, or data concerning health, sex life or sexual orientation.
NOTE: Our Services are not intended for use by HIPAA covered entities for the transmission of Protected Health Information, nor intended for the transmission of sensitive information such as payment card or financial information (except when making a purchase), so please do not share this information with us.
Information that you provide to us:
We collect Personal Information that you voluntarily provide to us when you use our Services. For example, you may provide us with your contact information such as your email address, first name and last name, phone number, or other Personal Information when you choose to submit such information to us through email, an online form, or other method (such as subscribing to our newsletter). Such information may include (by way of a non-exhaustive list):
Information that we automatically collect or generate about you:
When you use our Services, we automatically receive and collect information about you and your device. This includes (by way of non-exhaustive list):
Information we obtain from other sources:
We sometimes collect Personal Data provided to us by third parties, service providers, agencies or other publicly available sources where applicable. This includes (by way of non-exhaustive list):
Aggregate information is information that does not identify you. Aggregate information may be collected when you use our Services, independent of any information you voluntarily enter. Additionally, we may use one or more processes to de-identify information that contains Personal Data, such that only aggregate information remains. We may collect, use, store, and transfer aggregate information without restriction.
In general, we collect Personal Data from you so that we can provide our Services, operate our business, and provide information that you request from us. This includes the following ways and for the following purposes:
We may additionally use your data when it is necessary to do so (in all cases in accordance with applicable data protection laws), including for the following purposes:
We may disclose your Personal Data to other companies within our group for the purposes set out in "What is this data being used for?" above, as well as to law enforcement and regulatory agencies as may be required by law.
If you use certain features in the Services, such as note sharing or collaboration features, the information contained in the content that you share, which will include any Personal Data contained in such content, will be shared with the individuals that you select. We will not share your information this way unless you direct us to do so through your use of the Services.
We may also disclose and transfer your Personal Data (whether in Hong Kong or abroad) to our agents, contractors or vendors ("Service Providers"). When we do this, we will ensure that they are under a duty of confidentiality to us and we have imposed contractual obligations to ensure they can only use your Personal Data to provide agreed services to us and to you. Such Service Providers may provide administrative, data processing or other similar services to us to enable us to better provide the Services. We may also provide your Personal Data to actual or proposed assignees or transferees of our rights with respect to you in connection with a merger, sale or transfer (whether of assets or shares). In particular, certain of the specific third parties that we disclose data to include:
We may also transfer or disclose your Personal Data to third parties under the following circumstances: (i) to comply with a legal requirement, law, subpoena, judicial proceeding, court order, governmental request, or legal process; (ii) to investigate a possible crime, such as fraud or identity theft; (iii) in connection with the sale, purchase, merger, asset sale, financing, reorganisation, liquidation or dissolution of GoodNotes; (iv) when we believe it is necessary to protect the rights, property, or safety of GoodNotes or other persons, or (v) as otherwise required or permitted by law, including any contractual obligations of GoodNotes.
How long we will hold your Personal Data for will vary and will be determined by the following criteria:
We are a global business. Our customers and our operations are spread around the world. As a result, we collect and transfer Personal Data on a global basis. That means that we may transfer your Personal Data to locations outside of your country.
Where we transfer your Personal Data to another country outside the UK and / or EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. In relation to data being transferred outside the UK and / or EEA, for example, this may be done in one of the following ways:
You can obtain more details of the protection given to your Personal Data when it is transferred outside the UK and / or EEA (including a copy of the standard data protection clauses which we have entered into with recipients of your Personal Data) by contacting us as referred to in the “More Questions” section below.
We will use reasonable technical and organisational measures designed to safeguard your Personal Data, for example:
In addition, we have reasonable security measures in place designed to prevent Personal Data from being accidentally or unlawfully lost, used or accessed. We limit access to your Personal Data to those who have a genuine business need to access it. We take steps designed to ensure that those processing your Personal Data will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to respond to data security breaches. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
However, since the Internet is not a 100% secure environment, we cannot guarantee, ensure, or warrant the security of any information, including Personal Data, you transmit to us. There is no guarantee that information, including Personal Data, may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information.
If you give us information on behalf of someone else, you confirm and represent that you have the consent of such person to do so and such person has appointed you to act on his/her behalf to:
Our Services are not directed at children under 16 and we do not knowingly collect Personal Data from children under 16. If you are the parent of a child under the age of 16, and you believe he or she has shared Personal Data with us, please contact us so we can remove such information from our systems.
This section applies to residents of the European Economic Area and the United Kingdom. Under certain circumstances, you may have rights under data protection laws in relation to your Personal Data which you can exercise free of charge. These rights include:
If you wish to exercise any of the above rights, or make any related complaint or request in relation to your Personal Data, please contact us by using the contact details in the “More Questions” section below.
Further information about your rights may be obtained by contacting the supervisory data protection authority located in your jurisdiction.
If you are a resident of California, this section applies to you and is intended to provide certain information to you as required by the California Consumer Privacy Act of 2018 (CCPA). When we use the term “personal information” in this section, we are referring to information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household such as:
Please note that we are not required to:
You also have the right to request that we disclose certain information to you about our disclosures and sales of your personal information. Such information shall cover the 12-month period preceding our receipt of your request. Upon our receipt of your verified request, we will provide you with the following:
Right to Deletion
You have the right at any time to request that we delete your personal information. However, in some cases we cannot delete all or some of your personal information as required or permitted by applicable laws.
Protection Against Discrimination
You have the right to not be discriminated against by us because you exercised any of your rights under the CCPA. This means that we cannot, among other things:
Information We May Collect
In the preceding 12 months, we may collect categories of personal information listed below. For more details about the specific data points we may collect, please see the “What kind of data is being collected” section above.
Our sources for this information are detailed in the “What Kind of Data is Being Collected” section above.
Our business purposes for collecting this information are detailed in the “What is this Data Being Used for” section above.
Third parties we share this information with are detailed in the “Who is my Data Disclosed to” section above.
How to Contact us to Exercise Your CCPA Rights
To submit a request to exercise your “Right to Know” or “Right to Delete” rights provided in this notice, please email Ms Nebahat Arslan at firstname.lastname@example.org or Support Services at email@example.com. We will evaluate the request and take action where required to do so.
We will confirm receipt of your request within 10 business days and will provide information about how we will process your request. We endeavour to respond to your request as soon as we can, within the timeframes permitted under the CCPA. If we are not able to respond to your request within 45 days, we will let you know that we may require additional time (up to 90 total days).
Verification of Requests and Authorised Agents
We may have to verify your identity when you contact us to exercise your “Right to Know” or your “Right to Delete.” Our verification process may vary depending on the nature of your request. However, generally, we will verify your request by asking you to:
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm that the personal information relates to you.
You may also use an authorised agent to exercise your rights on your behalf. If you wish to use an authorised agent to make a request on your behalf, unless you have provided the authorised agent with power of attorney, we may require that: (1) you provide your authorised agent signed permission to do so; (2) you verify your identity; and (3) you confirm that you have provided the authorised agent permission to submit the request. We may deny any request from an authorised agent that does not submit proof that they have been authorised by you to act on your behalf.
Your authorised agent may make a request on your behalf by contacting us at firstname.lastname@example.org.
Types of Cookies and purposes
Cookies on the GoodNotes Learn and Services are generally divided into the following categories:
Although we do our best to honour the privacy preferences of our visitors, we are not able to respond to Do Not Track signals from your browser.
We commit to resolving complaints about our collection or use of your Personal Data. Individuals with inquiries or complaints should first contact email@example.com.
You also have a right to lodge a complaint with a competent supervisory authority situated in a member state of your habitual residence, place of work, or place of alleged infringement. You can find the relevant supervisory authority name and contact details here for individuals located in the United Kingdom.
You may unsubscribe from GoodNotes marketing communications at any time by following the “unsubscribe” link at the bottom of any such communication. Most promotional communications will also offer recipients choices about receiving additional messages.
We endeavour to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to the registered email associated with the account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.